Collecting customers’ personally identifiable information (PII data) is part and parcel of running a business, whether you’re making a sale, scheduling an appointment, or providing customer support.
As data collection technologies evolve, so do regulations designed to protect consumer personal information. While legal protections vary worldwide, most policies share a common thread — Data Subject Access Requests, or DSARs.
In this guide, you’ll learn:
- What a DSAR is, and what it looks like in practice
- Everything you need to know about the DSAR process
- Whether your business must comply with DSAR-related regulations
- The maximum time frames for data processing
- Who should be involved in resolving privacy compliance requests
- What the actual DSAR resolution process looks like
Whether or not your company uses a dedicated data privacy platform, you still have a responsibility to comply with applicable laws — this guide can help.
What Is a DSAR?
Numerous jurisdictions worldwide have already enacted data privacy laws, some of which we’ll discuss below. Many of these privacy regulations stipulate a consumer’s right of access, or the legal entitlement to access their data.
While each law provides consumers with different rights, many require that consumers can:
- Access the personal data that a company has collected from them
- Request the data be securely sent to them
- Require companies to delete any personal information they’ve stored
- Opt out of data sales to third-party vendors
As a result, many data privacy laws include requirements for Data Subject Requests (DSRs) and Data Subject Access Requests (DSAR).
When it comes to DSARs and DSRs, some are using the terms interchangeably. However, it’s important to understand their distinct differences.
Where DSARs serve the specific purpose of requesting access to held data and its use, DSRs encompass the many other data subject rights available to requesters. DSRs cover the rights to:
- Data correction or rectification
- Pause data processing
- Data deletion or erasure
- Restrict data usage
- Transfer data to a different controller (data portability)
Fulfilling both DSAR and DSR requirements is important to ensure your company is staying compliant.
What Information Can Be Requested?
Data subjects (requesters) can request all personal data a company holds on them, as well as a summary of whom that data may have been shared with or sold to, as this is considered relevant information.
- Personal data: Any information relating to an identified or identifiable natural person.
Who Must Comply With DSAR Regulations?
When a consumer submits a data subject access request to a company within the jurisdiction of a data privacy law, the company is legally obligated to complete and respond to the request to the extent of the applicable law.
Does your company need to worry about the DSAR process? Review the following list of common data privacy to determine your business’s legal obligations for a DSAR response:
- CCPA/CPRA — The California Consumer Privacy Act of 2018 (CCPA) requires that businesses operating in California or providing services to California residents must honor consumer requests to access and delete their collected personal data and opt out of third-party vendor access. The California Privacy Rights Act (CPRA) amended and expanded the rights stipulated in the CCPA.
- CPA — The Colorado Privacy Act (CPA) defines consumer data access rights, business obligations to protect personal data, and legal recourse in the event of violations. The law goes into effect in July of 2023.
- UCPA — The Utah Consumer Privacy Act (UCPA) shares similarities with the CCPA and the VCDPA but applies specifically to Utah residents, Utah businesses, and companies doing business there. This data protection act will take effect in December of 2023.
- VCDPA — The Virginia Consumer Data Protection Act (VCDPA) is deeply influenced by the CCPA when it comes to DSRs/DSARs and establishes various legal procedures for violations in the state of Virginia.
- GDPR — The General Data Protection Regulation (GDPR) was established in 2018. GDPR compliance is extremely important as It remains one of the most nuanced, ironclad data privacy laws in the world, and stipulates legal obligations for both EU-based companies and businesses collecting information from EU residents.
Master the data privacy basics: Read the Privacy Primer
How Much Time Do You Have To Respond to a DSAR?
The amount of time an organization has to complete and respond to a DSAR depends upon the jurisdiction. Most laws require businesses to oblige and acknowledge requests within 30-45 days.
However, some jurisdictions allow companies to request extensions — GDPR allows extensions of up to two months.
To meet legal compliance deadlines, it’s crucial for your business to establish a system for logging and processing DSARs. If your company misses a deadline for completion, response, or extension, you could be subject to legal action.
Who Can Conduct a DSAR?
Since the data privacy laws listed above are relatively new, your company may not have established a standard operating procedure (SOP) for the DSAR process yet.
Depending on individual employees’ access to certain data in your company’s network, not all team members may be authorized to manage requests. To complete a DSAR, an employee must be able to do the following:
- Access all of a consumer’s personal data
- Communicate directly with DSAR inquirers
- Liaise with third parties to whom the company has sold a consumer’s personal data
Depending on your company’s network structure, the number of employees in your IT department, or employee access to your data privacy platform, your company will need to take one of two approaches when creating a DSAR SOP:
- Extend appropriate permissions to all employees who will complete requests
- Delegate DSAR processing to employees with specific access
Who Is Involved in the DSAR Process?
- Data controller: The data controller is the organization that determines the purposes and means of the processing of personal data.
- Data protection officer (DPO): The DPO’s primary role is ensuring their organization processes personal data from employees, customers, providers, or other data subjects in compliance with applicable laws and data privacy regulations.
- Data Subject/Requester: The requester makes the DSAR submission.
What Happens After Receipt of the Request?
Organizations must verify the requestor‘s identity before responding to a DSAR to ensure they’re not disclosing personal data to unauthorized individuals. Identity verification is vital to make sure sensitive information doesn’t fall into the wrong hands.
- Acknowledge receipt of the request: Organizations must confirm receipt of the DSAR within a certain timeframe.
- Exemptions: There may be exemptions under certain data privacy regulations that allow organizations to refuse to fulfill a DSAR in certain circumstances.
- Compliance: Organizations must ensure that they comply with relevant data protection laws when processing personal data in response to a DSAR.
- Safeguards: Organizations should implement and follow appropriate technical and organizational measures to ensure the security of personal data.
- Automation: Organizations may use automated decision-making to ensure they provide sufficient information about the logic involved in the DSAR process.
- Data collection and profiling: Organizations must provide information about the categories of personal data being processed and any profiling that’s being done.
Step-By-Step DSAR Response Process
We’ve covered quite a bit of ground about DSARs, but what might the DSAR process actually look like for your business? Let’s explore four steps that could help structure your SOP for DSAR fulfillment.
Step 1: Collect and log requests
Note: DataGrail makes collecting and organizing inbound DSARs easy with user-centric forms that automatically populate a centralized dashboard.
- Your first DSAR fulfillment task is to formalize the request collection process. Individuals must know their data rights and have an easy way to submit a request. Setting up customer-facing webforms is one of the multiple ways to enable this. To make the process as intuitive as possible, these forms should be branded, compatible with all devices, easily accessible, and user-friendly.
- Organizations must accommodate DSARs within a legally specified time frame and creating a log of inquiries is crucial to successful request management. Privacy leaders need to establish an infrastructure to handle DSARs, including:
- Consumer request channels, like:
- An online form
- A dedicated email address
- A phone extension or hotline
- An in-person request
- Intake and logging standard operating procedures
- A logging system to track various metrics (consumer name, request date, deadline, and more)
- Consumer request channels, like:
Step 2: Verify the subject’s identity and review requested information
Note: DataGrail’s Smart Verification uses pre-existing data to automatically authenticate user identities
- To protect individuals’ data, it’s critical to verify a requester’s identity before processing the request.
- Caution is important, but so is restraint. The Irish Data Protection Commission’s (DPC) guidelines advise organizations to tread carefully when responding to a DSAR, stating that:
- Proof of identity should only be requested where reasonable and proportionate to do so
- Controllers should only request the minimum amount of further information necessary
- Verification is crucial, but companies should avoid asking customers to submit additional data or resubmit passports and IDs. How then can you stop fraudulent DSR requests while still upholding data subject privacy? The least intrusive verification method should leverage pre-existing data and request two-factor authentication. For instance, to finalize a request, an organization may ask the data subject to:
- Provide their phone number
- Receive a text or call to the number, containing a verification code
- Enter the verification code
- Select a security question
- Answer it accurately
- When the requester’s identity is verified, ensure the request’s specific ask is clear to the person or team handling the DSAR fulfillment process.
- After reviewing the request, it’s best practice to acknowledge the contact. Recognizing the request gives the data subject peace of mind knowing the DSAR arrived and the appropriate actions will be taken. Several laws stipulate how quickly a company should respond to and acknowledge a request.
Step 3: Gather, package, and review the data
Note: DataGrail’s powerful Privacy Control Center automates this process to reduce business risk via human error and build trust with customers. Below is a step-by-step manual fulfillment guide.
- Standard operating procedures for manual DSAR fulfillment should outline:
- The various network locations employees should search for stored data
- Where employees should compile an individual’s information
- Which employees may access the stored data and the compilation document
- Data is often fractured or duplicated across a company’s operations, systems, and networks. Whether it’s stored in a CRM, PDF file, or application, organizations must be accountable for every bit of personal data used, processed, or stored.
- Collecting the requested data and information could require different permissions based on your industry or the type of consumer submitting the DSAR. Some examples:
- If a former client of a law firm files a request, only specific employees may have access to their information per their jurisdiction’s counsel-client confidentiality laws
- If your company is transitioning from paper files to a fully electronic system, customer data could temporarily be stored both digitally and physically — and different employees may have access to each storage type
- If you’re in the healthcare industry, your business and employees must also accommodate medical confidentiality laws — like HIPAA, for US-based companies
- Reviewing the gathered data is vital: Ensuring the data meets internal requirements for upholding or rejecting the request is important. For instance, data can’t be revealed if the disclosure infringes upon another person’s privacy rights.
- It’s crucial that a logging system accommodates the various workflows in the DSAR fulfillment process. As employees complete requests, they should log:
- The date and time of task completion
- The authorization they requested and/or received to complete the task
- The locations of the data they accessed
- Internal and external communications required to address the request
- While complying with the law and consumer requests are the most important parts of the DSAR process, logging the steps taken will help a company remain transparent in the event of a regulatory audit or future requests from the same consumer.
Step 4: Provide the data to the requester
Note: For DataGrail users, this step is also automated.
- Once the logging process is complete and all relevant data is collected, it’s time to complete the request and send the requester their data.
- Deliver the report using clear and plain language so that it’s easy for users to understand. This can include:
- A copy of the personal information
- The purpose of processing that data
- The categories of personal information collected
- The timeline for data retention
- It’s important to note that different regulations stipulate specific acknowledgment procedures. For example, the GDPR requires that requests made electronically must be acknowledged electronically unless otherwise requested by the consumer.
- The request can now be marked “complete.”
- Receiving the response: Organizations must respond to DSARs in a timely manner and provide the requested information unless there are exemptions that apply.
- Undue delay: Organizations must respond to DSARs without undue delay unless there are reasonable grounds for extending the response timeframe.
Confidently Navigate the DSAR Process With DataGrail
Depending on your company’s jurisdiction, the consumers you engage with, and your existing data privacy safeguards, establishing a compliant DSAR process to meet DSAR requirements could be simple, or require a significant front-end time investment.
As data privacy laws continue to take shape worldwide, your business must develop a DSAR solution and remain compliant with all relevant laws.
DataGrail provides innovative data privacy solutions for modern businesses. Our all-in-one data privacy platform helps you stay compliant with international laws, build brand trust, and outsmart business risk.
Implementing a highly automated, formal process for fulfilling DSARs is easier than ever thanks to the DataGrail Integration Network. With over 2,000+ connnectors, it’s the industry’s largest.
Whether your business recently embraced digital technologies or has worked electronically for decades, DataGrail can help revolutionize your data privacy operations.
DSAR Process FAQs
Who can submit a DSAR?
Any data subject — an employee, contractor, supplier, partner, or customer — can submit a DSAR to an organization responsible for protecting their personal data in any clearly communicated way. This includes verbal, written, and electronic requests via email or social media.
In some cases, a third party may submit a DSAR on behalf of an individual. Some examples include:
- A friend or relative is acting as an authorized agent to assist with a request
- A parent or guardian requests information on behalf of a child
- A legal official submits a request on behalf of a client
- A person designates an authorized agent to process requests on their behalf
Can a company refuse a subject access request?
Protecting sensitive data and relevant information related to personal data is the top priority. A company may therefore refuse DSAR fulfillment on the legal basis that a request is suspected to be unfounded, excessive, or untrue. It’s a good idea to review the applicable laws and regulations to see the specific reasons for which you may need to reject a request.
What are the consequences of DSAR non-compliance?
Organizations that don’t meet DSAR compliance obligations are technically operating illegally and may be subject to penalties if they fail to comply with data privacy regulations.
The penalties for non-compliance may vary depending on the data privacy regulations that apply, but they can include fines, legal action, and reputational damage.
- ICO and supervisory authority: The Information Commissioner’s Office (ICO) in the UK and supervisory authorities in other jurisdictions are responsible for enforcing data privacy regulations and investigating complaints related to DSARs and data breaches.
Can organizations charge a “reasonable fee” for providing access to personal data through a DSAR?
In most cases, organizations aren’t allowed to charge fees for DSAR fulfillment. However, if the fulfillment team feels as though the request is unfounded or excessive, they can apply a “reasonable charge” to cover costs. Please note that almost all DSAR-related charges can’t provide profit to a company.